a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The contents of this file are subject to the terms
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * of the Common Development and Distribution License
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * (the License). You may not use this file except in
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * compliance with the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * You can obtain a copy of the License at
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * https://opensso.dev.java.net/public/CDDLv1.0.html or
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * See the License for the specific language governing
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * permission and limitations under the License.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * When distributing Covered Code, include this CDDL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Header Notice in each file and include the License file
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * If applicable, add the following below the CDDL Header,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * with the fields enclosed by brackets [] replaced by
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * your own identifying information:
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * "Portions Copyrighted [year] [name of copyright owner]"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * $Id: SPSSOFederate.java,v 1.29 2009/11/24 21:53:28 madan_ranganath Exp $
41a9970725e78d29b2f5e82518e354ce972cec53Mark de Reeper * Portions Copyrighted 2011-2015 ForgeRock AS.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.federation.common.FSUtils;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.paos.PAOSConstants;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.liberty.ws.paos.PAOSException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.paos.PAOSHeader;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.liberty.ws.paos.PAOSRequest;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml.xmlsig.KeyProvider;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.assertion.AssertionFactory;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.QuerySignatureUtil;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.SAML2Constants;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.SAML2Exception;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.SAML2FailoverUtils;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.SAML2Utils;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.common.SOAPCommunicator;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.ecp.ECPRelayState;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.entityconfig.SPSSOConfigElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.AffiliationDescriptorType;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.AssertionConsumerServiceElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.EntityDescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.IDPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.SPSSODescriptorElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.jaxb.metadata.SingleSignOnServiceElement;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaException;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaManager;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.meta.SAML2MetaUtils;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.plugins.SAML2IDPFinder;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.plugins.SAML2ServiceProviderAdapter;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.plugins.SPAuthnContextMapper;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.protocol.AuthnRequest;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.protocol.Extensions;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.protocol.GetComplete;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.saml2.protocol.IDPEntry;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.protocol.NameIDPolicy;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.protocol.ProtocolFactory;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.protocol.RequestedAuthnContext;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport com.sun.identity.saml2.protocol.Scoping;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.datastruct.OrderedSet;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Fosterimport com.sun.identity.shared.encode.URLEncDec;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbingsimport org.forgerock.openam.federation.saml2.SAML2TokenRepositoryException;
6ee2adce4b7ba1c7cdee88dce16cc901d1a1e1ceDavid Lunaimport org.forgerock.openam.saml2.audit.SAML2EventLogger;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * This class reads the caller-supplied request parameters and performs the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * processing required to build and send an Authentication Request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * from the SP to the IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate: Error retreiving metadata"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Parses the request parameters and builds the Authentication
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Request to be sent to the IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request the HttpServletRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response the HttpServletResponse.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param metaAlias metaAlias to locate the service providers.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpEntityID entityID of Identity Provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param paramsMap Map of all other parameters. The keys in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * map are of type String. The values in the paramsMap
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * are of type List.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Some of the possible keys are: RelayState, NameIDFormat,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * reqBinding, binding, AssertionConsumerServiceIndex,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AttributeConsumingServiceIndex (currently not supported),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * isPassive, ForceAuthN, AllowCreate, Destination,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthnContextDeclRef, AuthnContextClassRef,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthComparison, Consent (currently not supported),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthLevel, and sunamcompositeadvice.
6ee2adce4b7ba1c7cdee88dce16cc901d1a1e1ceDavid Luna * @param auditor the SAML2EventLogger to use to log the SAML request - may be null
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception if error initiating request to IDP.
6ee2adce4b7ba1c7cdee88dce16cc901d1a1e1ceDavid Luna public static void initiateAuthnRequest(final HttpServletRequest request,
6ee2adce4b7ba1c7cdee88dce16cc901d1a1e1ceDavid Luna final SAML2EventLogger auditor) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get the sp entity ID from the metaAlias
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm = SAML2MetaUtils.getRealmByMetaAlias(metaAlias);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SAML2Utils.debug.message("SPSSOFederate : spEntityID is :" + spEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate realm is :" + realm);
6ee2adce4b7ba1c7cdee88dce16cc901d1a1e1ceDavid Luna initiateAuthnRequest(request, response, spEntityID, idpEntityID, realm, paramsMap, auditor);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SAML2Utils.debug.error("SPSSOFederate: Error retreiving spEntityID from MetaAlias",sme);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings throw new SAML2Exception(SAML2Utils.bundle.getString("metaAliasError"));
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * Gets the SP Entity ID from the metaAlias.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param metaAlias the metaAlias String
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @return the EntityId of the SP from the metaAlias
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @throws SAML2MetaException if there was a problem extracting the entity ID from the metaAlias
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings public static String getSPEntityId(String metaAlias) throws SAML2MetaException {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Parses the request parameters and builds the Authentication
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Request to be sent to the IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request the HttpServletRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response the HttpServletResponse.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param spEntityID entityID of Service Provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param idpEntityID entityID of Identity Provider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param paramsMap Map of all other parameters. The keys in the
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * map are the parameter names, of type String.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * The values in the paramsMap are of type List.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Some of the possible keys are: RelayState, NameIDFormat,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * reqBinding, binding, AssertionConsumerServiceIndex,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AttributeConsumingServiceIndex (currently not supported),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * isPassive, ForceAuthN, AllowCreate, Destination,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthnContextDeclRef, AuthnContextClassRef,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthComparison, Consent (currently not supported),
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * AuthLevel, and sunamcompositeadvice.
6ee2adce4b7ba1c7cdee88dce16cc901d1a1e1ceDavid Luna * @param auditor the auditor for logging SAML2 Events - may be null
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception if error initiating request to IDP.
6ee2adce4b7ba1c7cdee88dce16cc901d1a1e1ceDavid Luna final HttpServletRequest request, final HttpServletResponse response, final String spEntityID,
6ee2adce4b7ba1c7cdee88dce16cc901d1a1e1ceDavid Luna final String idpEntityID, final String realmName, final Map paramsMap, final SAML2EventLogger auditor)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (FSUtils.needSetLBCookieAndRedirect(request, response, false)) {
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SAML2Utils.debug.error("SPSSOFederate:Service Provider ID is missing.");
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings LogUtil.error(Level.INFO, LogUtil.INVALID_SP, data, null);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings throw new SAML2Exception(SAML2Utils.bundle.getString("nullSPEntityID"));
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SAML2Utils.debug.error("SPSSOFederate: Identity Provider ID is missing .");
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings LogUtil.error(Level.INFO, LogUtil.INVALID_IDP, data, null);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings throw new SAML2Exception(SAML2Utils.bundle.getString("nullIDPEntityID"));
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings String binding = getParameter(paramsMap, SAML2Constants.REQ_BINDING);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate: in initiateSSOFed");
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SAML2Utils.debug.message("SPSSOFederate: spEntityID is : " + spEntityID);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SAML2Utils.debug.message("SPSSOFederate: idpEntityID : " + idpEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Retrieve metadata
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings throw new SAML2Exception(SAML2Utils.bundle.getString("errorMetaManager"));
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings Map spConfigAttrsMap = getAttrsMapForAuthnReq(realm, spEntityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get SPSSODescriptor
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SPSSODescriptorElement spsso = getSPSSOForAuthnReq(realm, spEntityID);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings LogUtil.error(Level.INFO, LogUtil.SP_METADATA_ERROR, data, null);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings List extensionsList = getExtensionsList(spEntityID, realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get IDP Descriptor
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings IDPSSODescriptorElement idpsso = getIDPSSOForAuthnReq(realm, idpEntityID);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings LogUtil.error(Level.INFO, LogUtil.IDP_METADATA_ERROR, data, null);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List ssoServiceList = idpsso.getSingleSignOnService();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String ssoURL = getSSOURL(ssoServiceList, binding);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings LogUtil.error(Level.INFO, LogUtil.SSO_NOT_FOUND, data, null);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings throw new SAML2Exception(SAML2Utils.bundle.getString("ssoServiceNotfound"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // create AuthnRequest
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings AuthnRequest authnRequest = createAuthnRequest(realm, spEntityID, paramsMap, spConfigAttrsMap,
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings extensionsList, spsso, idpsso, ssoURL, false);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SP Adapter class if registered
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SAML2ServiceProviderAdapter spAdapter = SAML2Utils.getSPAdapterClass(spEntityID, realmName);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings spAdapter.preSingleSignOnRequest(spEntityID, idpEntityID, realmName, request, response, authnRequest);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings String authReqXMLString = authnRequest.toXMLString(true, true);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SAML2Utils.debug.message("SPSSOFederate: AuthnRequest:" + authReqXMLString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Default URL if relayState not present? in providerConfig?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // TODO get Default URL from metadata
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings String relayState = getParameter(paramsMap, SAML2Constants.RELAY_STATE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Validate the RelayState URL. RelayState is caller-supplied and is later forwarded to the IDP, so this check is the open-redirect guard and must run before the value is used.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SAML2Utils.validateRelayStateURL(realm, spEntityID, relayState, SAML2Constants.SP_ROLE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // check if relayState is present and get the unique
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // id which will be appended to the SSO URL before
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // redirecting.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings if (relayState != null && relayState.length() > 0) {
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings relayStateID = getRelayStateID(relayState, authnRequest.getID());
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings if (binding.equals(SAML2Constants.HTTP_POST)) {
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings String encodedReqMsg = getPostBindingMsg(idpsso, spsso, spConfigAttrsMap, authnRequest);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SAML2Utils.postToTarget(request, response, "SAMLRequest", encodedReqMsg, "RelayState", relayStateID, ssoURL);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings String redirect = getRedirect(authReqXMLString, relayStateID, ssoURL, idpsso, spsso, spConfigAttrsMap);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings LogUtil.access(Level.INFO, LogUtil.REDIRECT_TO_IDP, data, null);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings new AuthnRequestInfo(request, response, realm, spEntityID,
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings idpEntityID, authnRequest, relayState, paramsMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPCache.requestHash.put(authnRequest.getID(),reqInfo);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // sessionExpireTime is counted in seconds
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(key, new AuthnRequestInfoCopy(reqInfo), sessionExpireTime);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.message("SPSSOFederate.initiateAuthnRequest:"
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper + " SAVE AuthnRequestInfoCopy for requestID " + key);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.error("SPSSOFederate.initiateAuthnRequest: There was a problem saving the " +
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper "AuthnRequestInfoCopy in the SAML2 Token Repository for requestID " + key, e);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate: Exception :",ioe);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper throw new SAML2Exception(SAML2Utils.bundle.getString("errorCreatingAuthnRequest"));
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.error("SPSSOFederate:Error retrieving metadata", sme);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * Gets the redirect String.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param authReqXMLString Auth Request XML.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param relayStateID the id of the relay state
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param ssoURL the URL for the redirect
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param idpsso the idp descriptor to use
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param spsso the sp descriptor to use
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param spConfigAttrsMap the sp configuration details
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @return the full redirect URL: ssoURL plus the SAMLRequest/RelayState query string, signed when the metadata requires it.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @throws SAML2Exception if there is a problem creating the redirect string
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings public static String getRedirect(String authReqXMLString, String relayStateID, String ssoURL,
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings IDPSSODescriptorElement idpsso, SPSSODescriptorElement spsso, Map spConfigAttrsMap)
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings // encode the xml string
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings String encodedXML = SAML2Utils.encodeForRedirect(authReqXMLString);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings StringBuilder queryString = new StringBuilder();
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings queryString.append(SAML2Constants.SAML_REQUEST).append(SAML2Constants.EQUAL).append(encodedXML);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings if ((relayStateID != null) && (relayStateID.length() > 0)) {
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings queryString.append("&").append(SAML2Constants.RELAY_STATE)
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings new StringBuilder().append(ssoURL).append(ssoURL.contains("?") ? "&" : "?");
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings // Sign the query string when the IDP requires signed AuthnRequests or the SP metadata declares that it signs them.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings if (idpsso.isWantAuthnRequestsSigned() || spsso.isAuthnRequestsSigned()) {
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings String certAlias = getParameter(spConfigAttrsMap, SAML2Constants.SIGNING_CERT_ALIAS);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings String signedQueryStr = signQueryString(queryString.toString(), certAlias);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * Gets the SP SSO Descriptor for the given sp entity id in the given realm.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param realm the realm the sp is configured in
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param spEntityID the entity id of the sp to get the Descriptor for
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @return the SPSSODescriptorElement for the requested sp entity
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @throws SAML2MetaException if there is a problem looking up the SPSSODescriptorElement.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings public static SPSSODescriptorElement getSPSSOForAuthnReq(String realm, String spEntityID)
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings return sm.getSPSSODescriptor(realm, spEntityID);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * Gets the Configuration attributes for the given sp entity id in the given realm.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param realm the realm the sp is configured in
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param spEntityID the entity id of the sp to get the attributes map for
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @return a map of SAML2 Attributes with String keys mapped to a collection of values
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @throws SAML2MetaException if there is a problem looking up the SP SSO configuration
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings public static Map<String, Collection<String>> getAttrsMapForAuthnReq(String realm, String spEntityID)
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SPSSOConfigElement spEntityCfg = sm.getSPSSOConfig(realm, spEntityID);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings spConfigAttrsMap = SAML2MetaUtils.getAttributes(spEntityCfg);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * Gets the IDP SSO Descriptor for the given IDP entity id in the given realm.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param realm the realm the idp is configured in
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param idpEntityID the entity id of the IDP to get the Descriptor for
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @return the IDPSSODescriptorElement for the requested IDP entity
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @throws SAML2MetaException if there is a problem looking up the IDPSSODescriptorElement.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings public static IDPSSODescriptorElement getIDPSSOForAuthnReq(String realm, String idpEntityID)
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings return sm.getIDPSSODescriptor(realm, idpEntityID);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * Gets the HTTP-POST binding message for the AuthnRequest.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param idpsso the IDP descriptor; its wantAuthnRequestsSigned flag decides whether the request is signed
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param spsso the SP descriptor; its authnRequestsSigned flag likewise forces signing
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param spConfigAttrsMap the SP configuration attributes (the signing certificate alias is read from here)
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param authnRequest the AuthnRequest to serialize
 * @return the encoded AuthnRequest XML for the HTTP-POST binding
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @throws SAML2Exception if signing or serializing the request fails
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings public static String getPostBindingMsg(IDPSSODescriptorElement idpsso, SPSSODescriptorElement spsso,
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings Map spConfigAttrsMap, AuthnRequest authnRequest)
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings if (idpsso.isWantAuthnRequestsSigned() || spsso.isAuthnRequestsSigned()) {
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings String certAlias = getParameter(spConfigAttrsMap, SAML2Constants.SIGNING_CERT_ALIAS);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings String authXMLString = authnRequest.toXMLString(true, true);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SAML2Utils.debug.message("SPSSOFederate.initiateAuthnRequest: SAML Response content :\n" + authXMLString);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings return SAML2Utils.encodeForPOST(authXMLString);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Parses the request parameters and builds the ECP request to be sent to the IDP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request the HttpServletRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param response the HttpServletResponse.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws SAML2Exception if error creating AuthnRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @throws IOException if error sending AuthnRequest to ECP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static void initiateECPRequest(HttpServletRequest request,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "invalid HTTP request from ECP.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "invalidHttpRequestFromECP",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("invalidHttpRequestFromECP"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String metaAlias = request.getParameter("metaAlias");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map paramsMap = SAML2Utils.getParamsMap(request);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get the sp entity ID from the metaAlias
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String spEntityID = sm.getEntityByMetaAlias(metaAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String realm = getRealm(SAML2MetaUtils.getRealmByMetaAlias(metaAlias));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "spEntityID is " + spEntityID + ", realm is " + realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Retrieve metadata
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("errorMetaManager"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spConfigAttrsMap = SAML2MetaUtils.getAttributes(spEntityCfg);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get SPSSODescriptor
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO,LogUtil.SP_METADATA_ERROR,data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.INFO, LogUtil.RECEIVED_HTTP_REQUEST_ECP, data,
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings List extensionsList = getExtensionsList(spEntityID, realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // create AuthnRequest
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster AuthnRequest authnRequest = createAuthnRequest(realm, spEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster paramsMap, spConfigAttrsMap, extensionsList, spsso, null, null,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // invoke SP Adapter class if registered
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getSPAdapterClass(spEntityID, realm);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster spAdapter.preSingleSignOnRequest(spEntityID, realm, null,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String alias = SAML2Utils.getSigningCertAlias(realm, spEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster KeyUtil.getKeyProviderInstance().getPrivateKey(alias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Unable to find signing key.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ECPFactory ecpFactory = ECPFactory.getInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Default URL if relayState not present? in providerConfig?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // TODO get Default URL from metadata
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (relayState != null && relayState.length()> 0) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String relayStateID = getRelayStateID(relayState,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ECPRelayState ecpRelayState = ecpFactory.createECPRelayState();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ecpRelayState.setActor(SAML2Constants.SOAP_ACTOR_NEXT);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ecpRelayStateXmlStr = ecpRelayState.toXMLString(true, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ECPRequest ecpRequest = ecpFactory.createECPRequest();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ecpRequest.setIssuer(createIssuer(spEntityID));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ecpRequest.setActor(SAML2Constants.SOAP_ACTOR_NEXT);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ecpRequest.setIsPassive(authnRequest.isPassive());
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List idps = ecpIDPFinder.getPreferredIDP(authnRequest,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster for(Iterator iter = idps.iterator(); iter.hasNext();) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPSSODescriptorElement idpDesc = saml2MetaManager
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPEntry idpEntry = ProtocolFactory.getInstance()
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPList idpList = ProtocolFactory.getInstance()
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map attrs = SAML2MetaUtils.getAttributes(spEntityCfg);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.ECP_REQUEST_IDP_LIST_GET_COMPLETE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Constants.PAOS_ECP_SERVICE, null, Boolean.TRUE,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster paosRequestXmlStr = paosRequest.toXMLString(true, true);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest:",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ecpRequest.toXMLString(true, true) + ecpRelayStateXmlStr;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String body = authnRequest.toXMLString(true, true);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings SOAPMessage reply = SOAPCommunicator.getInstance().createSOAPMessage(header, body,
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings data2[2] = SOAPCommunicator.getInstance().soapMessageToString(reply);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.access(Level.INFO, LogUtil.SEND_ECP_PAOS_REQUEST, data2,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Need to call saveChanges because we're
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // going to use the MimeHeaders to set HTTP
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // response information. These MimeHeaders
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // are generated as part of the save.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.putHeaders(reply.getMimeHeaders(), response);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster response.setContentType(PAOSConstants.PAOS_MIME_TYPE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Write out the message on the response stream
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest",
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster LogUtil.error(Level.INFO, LogUtil.SEND_ECP_PAOS_REQUEST_FAILED,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new AuthnRequestInfo(request,response,realm,spEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPCache.requestHash.put(authnRequest.getID(),reqInfo);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // sessionExpireTime is counted in seconds
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(key, new AuthnRequestInfoCopy(reqInfo), sessionExpireTime);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest:"
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper + " SAVE AuthnRequestInfoCopy for requestID " + key);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.error("SPSSOFederate.initiateECPRequest: There was a problem saving the " +
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper "AuthnRequestInfoCopy in the SAML2 Token Repository for requestID " + key, e);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.error("SPSSOFederate:Error retrieving metadata" ,sme);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper throw new SAML2Exception(SAML2Utils.bundle.getString("metaDataError"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Checks if the request is from ECP.
 * The Accept header (and presumably the PAOS header) are supplied by the client, so a
 * true result only selects the PAOS/ECP binding for the response; it carries no trust.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @param request the HttpServletRequest.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * @return true if the request is from ECP.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static boolean isFromECP(HttpServletRequest request) {
// NOTE(review): the guard leading to this branch is not visible in this excerpt. The log
// prefix names initiateECPRequest (the caller) rather than this method, which makes
// these messages harder to attribute when correlating logs.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "no PAOS header");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Map svcOpts = paosHeader.getServicesAndOptions();
// The PAOS header must advertise the ECP service; otherwise this is not an ECP client.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (!svcOpts.containsKey(SAML2Constants.PAOS_ECP_SERVICE))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate.initiateECPRequest:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "PAOS header doesn't contain ECP service");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String acceptHeader = request.getHeader("Accept");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return false;
// Substring match: any Accept value that mentions the PAOS MIME type qualifies.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return (acceptHeader.indexOf(PAOSConstants.PAOS_MIME_TYPE) != -1);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* Create NameIDPolicy Element */
// Builds the NameIDPolicy for an AuthnRequest. The requested format is checked against
// SP and IdP metadata first; when an affiliation is in use, this SP must be a listed
// member of it before the affiliation ID is used as the SPNameQualifier.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static NameIDPolicy createNameIDPolicy(String spEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String format, boolean allowCreate, SPSSODescriptorElement spsso,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPSSODescriptorElement idpsso, String realm, Map paramsMap)
// Normalise/validate the caller-supplied format against both parties' metadata.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster format = SAML2Utils.verifyNameIDFormat(format, spsso, idpsso);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ProtocolFactory.getInstance().createNameIDPolicy();
// NOTE(review): where affiliationID is taken from is not visible in this excerpt
// (presumably paramsMap).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster sm.getAffiliationDescriptor(realm, affiliationID);
// Unknown affiliation: fail rather than emit a policy naming an undefined qualifier.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "affiliationNotFound"));
// Membership check: only an affiliation this SP belongs to may become its SPNameQualifier.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (!affiDesc.getAffiliateMember().contains(spEntityID)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "spNotAffiliationMember"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameIDPolicy.setSPNameQualifier(affiliationID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* Create Issuer */
// Builds the Issuer element for this SP; presumably populated with spEntityID
// (the setter call is not visible in this excerpt).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static Issuer createIssuer(String spEntityID)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Issuer issuer = AssertionFactory.getInstance().createIssuer();
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * Create an AuthnRequest.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param realmName the authentication realm for this request
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param spEntityID the entity id for the service provider
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param paramsMap the map of parameters for the authentication request
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param spConfigMap the configuration map for the service provider
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param extensionsList a list of extensions for the authentication request
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param spsso the SPSSODescriptorElement for the service provider
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param idpsso the IDPSSODescriptorElement for the identity provider
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param ssourl the url for the single sign on request
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param isForECP boolean to indicate if the request originated from an ECP
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @return a new AuthnRequest object
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @throws SAML2Exception if the request cannot be built, e.g. no request ID could be
 *     generated or the protocol binding is not supported by the SP metadata
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings public static AuthnRequest createAuthnRequest(final String realmName,
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings final boolean isForECP) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // generate unique request ID
// An empty ID is fatal: the ID keys the cached AuthnRequestInfo (SPCache.requestHash)
// that is looked up again when the response comes back.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((requestID == null) || (requestID.length() == 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("cannotGenerateID"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // retrieve data from the params map and if not found get
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // default values from the SPConfig Attributes
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // destinationURI required if message is signed.
41a9970725e78d29b2f5e82518e354ce972cec53Mark de Reeper Boolean isPassive = doPassive(paramsMap, spConfigMap);
41a9970725e78d29b2f5e82518e354ce972cec53Mark de Reeper Boolean isforceAuthn = isForceAuthN(paramsMap, spConfigMap);
41a9970725e78d29b2f5e82518e354ce972cec53Mark de Reeper boolean allowCreate = isAllowCreate(paramsMap, spConfigMap);
41a9970725e78d29b2f5e82518e354ce972cec53Mark de Reeper boolean includeRequestedAuthnContextFlag = includeRequestedAuthnContext(paramsMap, spConfigMap);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String consent = getParameter(paramsMap,SAML2Constants.CONSENT);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Extensions extensions = createExtensions(extensionsList);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String nameIDPolicyFormat = getParameter(paramsMap,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get NameIDPolicy Element
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster NameIDPolicy nameIDPolicy = createNameIDPolicy(spEntityID,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster nameIDPolicyFormat, allowCreate, spsso, idpsso, realmName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Integer acsIndex = getIndex(paramsMap,SAML2Constants.ACS_URL_INDEX);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Integer attrIndex = getIndex(paramsMap,SAML2Constants.ATTR_INDEX);
// ECP clients use the PAOS binding; the non-ECP alternative is not visible in this excerpt.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String protocolBinding = isForECP ? SAML2Constants.PAOS :
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster OrderedSet acsSet = getACSUrl(spsso,protocolBinding);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster realmName, spEntityID, SAML2Constants.ACS_SERVICE,
// Presumably reached when no AssertionConsumerService exists for the chosen binding:
// the condition is logged and audited, then the request is refused rather than sent
// to an endpoint the SP cannot receive a response on.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate.createAuthnRequest:" +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String[] data = { spEntityID, protocolBinding };
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Level.INFO, LogUtil.BINDING_NOT_SUPPORTED, data, null);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.bundle.getString("unsupportedBinding"));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ProtocolFactory.getInstance().createAuthnRequest();
// Destination is XML-escaped before being placed on the request in both branches; the
// branches differ only in where the URI is taken from (not visible in this excerpt).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((destinationURI == null) || (destinationURI.length() == 0)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnReq.setDestination(XMLUtils.escapeSpecialCharacters(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnReq.setDestination(XMLUtils.escapeSpecialCharacters(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnReq.setAttributeConsumingServiceIndex(attrIndex);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnReq.setAssertionConsumerServiceIndex(acsIndex);
41a9970725e78d29b2f5e82518e354ce972cec53Mark de Reeper authnReq.setRequestedAuthnContext(createReqAuthnContext(realmName, spEntityID, paramsMap, spConfigMap));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // Required attributes in authn request
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster authnReq.setVersion(SAML2Constants.VERSION_2_0);
// IdP proxying: Scoping/ProxyCount and an IDPList are only added when enabled in SP config.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((enableIDPProxy != null) && enableIDPProxy.booleanValue())
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String proxyCountParam = getParameter(spConfigMap,
// NOTE(review): new Integer(String) throws NumberFormatException for a non-numeric
// configuration value, which would surface here as an unchecked error rather than
// a SAML2Exception.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (proxyCountParam != null && (!proxyCountParam.equals(""))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster scoping.setProxyCount(new Integer(proxyCountParam));
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (proxyIDPs != null && !proxyIDPs.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPEntry entry = ProtocolFactory.getInstance().
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster IDPList idpList = ProtocolFactory.getInstance().
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * Returns value of a boolean parameter in the SP SSO Config.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param attrMap the map of attributes for the sso config
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param attrName the key to get the boolean value for
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @return the value of the parameter in the sso config or null if the attribute was not found or was
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * not a boolean parameter
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings public static Boolean getAttrValueFromMap(final Map attrMap, final String attrName) {
// Delegates to getParameter, so only the first value of a multi-valued attribute is
// considered; the string-to-Boolean conversion is not visible in this excerpt.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String attrVal = getParameter(attrMap,attrName);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * Returns the SingleSignOnService URL.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param ssoServiceList list of sso services
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param binding binding of the sso service to get the url for
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @return a string url for the sso service
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings public static String getSSOURL(List ssoServiceList, String binding) {
// Walks the SingleSignOnService endpoints looking for the requested binding; the
// match test and the returned value are not visible in this excerpt.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((ssoServiceList != null) && (!ssoServiceList.isEmpty())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster while (i.hasNext()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster + " SingleSignOnService URL :"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * Returns an Ordered Set containing the AssertionConsumerServiceURL
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster * and AssertionConsumerServiceIndex.
 * @param spsso the SP SSO descriptor whose AssertionConsumerService list is searched
 *     (the remaining parameter is not visible in this excerpt)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster static OrderedSet getACSUrl(SPSSODescriptorElement spsso,
// A bare binding name is expanded to the full SAML2 binding URI so that it compares
// equal to the value recorded in metadata.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((binding != null) && (binding.length() > 0) &&
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (binding.indexOf(SAML2Constants.BINDING_PREFIX) == -1)) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster new StringBuffer().append(SAML2Constants.BINDING_PREFIX)
// Only endpoints published in the SP's own metadata are candidates.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List acsList = spsso.getAssertionConsumerService();
// An absent/empty responseBinding is one of the selection cases; the rest of this
// condition is not visible in this excerpt.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (responseBinding == null || responseBinding.length() ==0 )) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate: AssertionConsumerService :"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate: AssertionConsumerService :"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate: AssertionConsumerService :"
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * Fills in the realm with the default top level realm if it does not contain a more specific subrealm.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * i.e. if it is null or empty it becomes "/"
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param realm the current realm
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @return the realm to use
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings public static String getRealm(final String realm) {
// Only null/empty is normalised; any other value is returned verbatim and unvalidated,
// so callers that take the realm from a request must validate it themselves.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return ((realm == null) || (realm.length() == 0)) ? "/" : realm;
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * Gets isPassive attribute from the config map and parameters map.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param paramsMap the map of the parameters
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param spConfigAttrsMap the map of the configuration
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @return boolean to indicate if the request should be passive
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static Boolean doPassive(Map paramsMap,Map spConfigAttrsMap){
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // get isPassive
// The request parameter is inspected first (compared against the literal TRUE/FALSE
// constants), with the SP configuration as fallback; the exact branching is only
// partly visible in this excerpt.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster getParameter(paramsMap,SAML2Constants.ISPASSIVE);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (isPassiveStr.equals(SAML2Constants.FALSE))))) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster isPassive = getAttrValueFromMap(spConfigAttrsMap,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate: isPassive : " + isPassive);
// Unset everywhere means not passive.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return (isPassive == null) ? Boolean.FALSE : isPassive;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* Returns value of ForceAuthn */
// Request parameter first, SP configuration as fallback, FALSE when neither is set;
// the branch between the two lookups is not visible in this excerpt.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static Boolean isForceAuthN(Map paramsMap,Map spConfigAttrsMap) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String forceAuthn = getParameter(paramsMap,SAML2Constants.FORCEAUTHN);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster isforceAuthn = getAttrValueFromMap(spConfigAttrsMap,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate:ForceAuthn: " + forceAuthn);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return (isforceAuthn == null) ? Boolean.FALSE : isforceAuthn;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* get value of AllowCreate */
// Request parameter first (only honoured when it is exactly TRUE or FALSE), then the
// SP configuration; the initial default and the final return are not visible here.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static boolean isAllowCreate(Map paramsMap,Map spConfigAttrsMap) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster //assuming default true?
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ((allowCreateStr.equals(SAML2Constants.TRUE) ||
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster (allowCreateStr.equals(SAML2Constants.FALSE))))
// Guarded by the TRUE/FALSE check above, so the Boolean(String) parse cannot surprise.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster allowCreate = new Boolean(allowCreateStr).booleanValue();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster Boolean val = getAttrValueFromMap(spConfigAttrsMap,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate:AllowCreate:"+ allowCreate);
// Decides whether a RequestedAuthnContext is emitted: request parameter overrides the
// SP metadata value, and an unset flag keeps the historical behaviour (true).
41a9970725e78d29b2f5e82518e354ce972cec53Mark de Reeper private static boolean includeRequestedAuthnContext(Map paramsMap, Map spConfigAttrsMap) {
41a9970725e78d29b2f5e82518e354ce972cec53Mark de Reeper // Default to true if this flag is not found to be backwards compatible.
41a9970725e78d29b2f5e82518e354ce972cec53Mark de Reeper boolean result = true;
41a9970725e78d29b2f5e82518e354ce972cec53Mark de Reeper // Check the parameters first in case the request wants to override the metadata value.
41a9970725e78d29b2f5e82518e354ce972cec53Mark de Reeper Boolean val = getAttrValueFromMap(paramsMap, SAML2Constants.INCLUDE_REQUESTED_AUTHN_CONTEXT);
// Fallback to SP configuration; the null test between the two lookups is not visible here.
41a9970725e78d29b2f5e82518e354ce972cec53Mark de Reeper val = getAttrValueFromMap(spConfigAttrsMap, SAML2Constants.INCLUDE_REQUESTED_AUTHN_CONTEXT);
41a9970725e78d29b2f5e82518e354ce972cec53Mark de Reeper SAML2Utils.debug.message("SPSSOFederate:includeRequestedAuthnContext:" + result);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* Returns the AssertionConsumerServiceURL Index */
// Reads the index parameter as a string; the conversion to Integer (and how a
// non-numeric value is handled) is not visible in this excerpt.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static Integer getIndex(Map paramsMap,String attrName) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster String index = getParameter(paramsMap,attrName);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * Gets the query parameter value for the param specified.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param paramsMap the map of parameters
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param attrName the parameter name to get the value for
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @return the string value for the given parameter
 *     (only the first value of a multi-valued entry; the initial value of attrVal when
 *     nothing matches is not visible in this excerpt)
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static String getParameter(Map paramsMap,String attrName) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((paramsMap != null) && (!paramsMap.isEmpty())) {
// Raw-typed map: values are assumed to be a List of String. Anything else fails at
// these casts with ClassCastException — TODO confirm every caller supplies that shape.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster List attrValList = (List)paramsMap.get(attrName);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (attrValList != null && !attrValList.isEmpty()) {
// Multi-valued parameters are silently truncated to their first element.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster attrVal = (String) attrValList.iterator().next();
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * Gets the extensions list for the sp entity.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param entityID the entity id to get the extensions list for
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param realm the realm that the entity is configured in
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @return a List of the extensions for the sso request
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings public static List getExtensionsList(String entityID,String realm) {
// Extensions come from the entity's own metadata descriptor, not from the request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster EntityDescriptorElement ed = sm.getEntityDescriptor(realm,entityID);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster com.sun.identity.saml2.jaxb.metadata.ExtensionsType ext =
// Metadata lookup failures are logged; what is returned in that case is not visible here.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate:Error retrieving " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "EntityDescriptor");
// Wraps the metadata extensions in a protocol Extensions element; stays null when the
// list is null or empty (the population loop and return are not visible in this excerpt).
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static com.sun.identity.saml2.protocol.Extensions
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster createExtensions(List extensionsList) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster com.sun.identity.saml2.protocol.Extensions extensions=null;
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if (extensionsList != null && !extensionsList.isEmpty()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster ProtocolFactory.getInstance().createExtensions();
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * Gets the Relay State ID for the request.
 * Stores the caller-supplied relayState in the local cache, and with failover enabled
 * also in the SAML2 token repository, keyed by requestID so it can presumably be
 * recovered when the response arrives.
 * NOTE(review): the relayState is cached verbatim; any validation of it as a safe
 * redirect target has to happen elsewhere, not in this method.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param relayState the relay state
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param requestID the request id
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @return the relay state id
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster public static String getRelayStateID(String relayState, String requestID) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SPCache.relayStateHash.put(requestID, new CacheObject(relayState));
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper if (SAML2FailoverUtils.isSAML2FailoverEnabled()) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster // sessionExpireTime is counted in seconds
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper long sessionExpireTime = System.currentTimeMillis() / 1000 + SPCache.interval;
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper // Need to make the key unique due to the requestID also being used to
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper // store a copy of the AuthnRequestInfo
// NOTE(review): how `key` is derived from requestID is not visible in this excerpt.
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2FailoverUtils.saveSAML2TokenWithoutSecondaryKey(key, relayState, sessionExpireTime);
7be5aa496ae10e8d30aa6675df55e074cbb5cfedMark de Reeper SAML2Utils.debug.message("SPSSOFederate.getRelayStateID: SAVE relayState for requestID "
// A repository save failure is logged here; whether it is rethrown is not visible, and
// the in-memory entry added above exists either way.
80849398a45dca1fb917716907d6ec99be6222c2Peter Major SAML2Utils.debug.error("SPSSOFederate.getRelayStateID: Unable to SAVE relayState for requestID "
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster /* Creates RequestedAuthnContext Object */
// The mapper implementation is chosen by class name from SP configuration (administrator
// input), never from the request.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster private static RequestedAuthnContext createReqAuthnContext(String realmName,
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster if ((spConfigMap != null) && (!spConfigMap.isEmpty())) {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster className = ((String) listVal.iterator().next()).trim();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.getSPAuthnContextMapper(realmName,spEntityID,className);
// NOTE(review): failures are logged at message (debug) level only, so a misconfigured
// mapper can go unnoticed in production; what is returned on failure is not visible here.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate:Error creating " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "RequestedAuthnContext",e);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * Signs the query string.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param queryString the query string
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param certAlias the certificate alias
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @return the signed query string
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @throws SAML2Exception if the query string cannot be signed
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings public static String signQueryString(final String queryString, final String certAlias)
// The full query string and the key alias are written to the debug log at message level.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate:queryString:"
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.message("SPSSOFederate: certAlias :"
// The signing key is resolved by alias through the configured KeyProvider.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster KeyProvider kp = KeyUtil.getKeyProviderInstance();
// NOTE(review): no null check on kp or privateKey is visible between these lines —
// confirm QuerySignatureUtil.sign rejects a null key rather than returning the
// query string unsigned.
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster PrivateKey privateKey = kp.getPrivateKey(certAlias);
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster return QuerySignatureUtil.sign(queryString,privateKey);
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * Sign an authentication request.
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param certAlias the certificate alias
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @param authnRequest the authentication request to sign
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings * @throws SAML2Exception if the authentication request cannot be signed
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings public static void signAuthnRequest(final String certAlias,
449854c2a07b50ea64d9d6a8b03d18d4afeeee43Ken Stubbings final AuthnRequest authnRequest) throws SAML2Exception {
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster KeyProvider kp = KeyUtil.getKeyProviderInstance();
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster SAML2Utils.debug.error("SPSSOFederate:signAuthnRequest: " +
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "Unable to get a key provider instance.");
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster throw new SAML2Exception(SAML2Utils.bundle.getString(
a688bcbb4bcff5398fdd29b86f83450257dc0df4Allan Foster "nullKeyProvider"));